From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 272151] panic: use-after-free tty race condition
Date: Tue, 19 Dec 2023 00:49:00 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: crash
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: commit-hook@FreeBSD.org
X-Bugzilla-Status: Open
X-Bugzilla-Assigned-To: bugs@FreeBSD.org
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272151

--- Comment #4 from commit-hook@FreeBSD.org ---
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=acd5638e268a6706f6b7ad84947a8425e8d51ef7

commit acd5638e268a6706f6b7ad84947a8425e8d51ef7
Author:     Robert Wing
AuthorDate: 2023-12-19 00:40:46 +0000
Commit:     Robert Wing
CommitDate: 2023-12-19 00:40:46 +0000

    tty: delete knotes when TTY is revoked

    Do not clear knotes from the TTY until it gets dealloc'ed, unless the
    TTY is being revoked, in that case delete the knotes when closed is
    called on the TTY.

    When knotes are cleared from a knlist, those knotes become detached
    from the knlist. And when an event is triggered on a detached knote
    there isn't an associated knlist and therefore no lock will be taken
    when the event is triggered.

    This becomes a problem when a detached knote is triggered on a TTY
    since the mutex for a TTY is also used as the lock for its knlists.
    This scenario ends up calling the TTY event handlers without the TTY
    lock being held and tripping on asserts in the event handlers.

    PR:             272151
    Reviewed by:    kib, markj
    Differential Revision:  https://reviews.freebsd.org/D41605

 sys/kern/tty.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

-- 
You are receiving this mail because:
You are the assignee for the bug.
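
The locking problem described in the commit message above, as an added user-space model that is not part of the original mail, the commit, or the FreeBSD source. Every type and function name is hypothetical, and it assumes that a knote finds its lock only through the knlist it is attached to and that a deleted knote can no longer fire.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model only; every name here is hypothetical, not FreeBSD's. */
struct tty_model { bool locked; int unlocked_calls; };
struct knlist_model { struct tty_model *lockarg; }; /* list lock == TTY mutex */
struct knote_model {
    struct knlist_model *list; /* NULL once the knote is detached */
    struct tty_model *tp;      /* object the event handler inspects */
    bool alive;                /* false once the knote is deleted */
};

/* Stand-in for a TTY event handler: where the kernel handler would trip
 * an assert, this model counts the call made without the TTY lock. */
static void tty_filter(struct knote_model *kn) {
    if (!kn->tp->locked)
        kn->tp->unlocked_calls++;
}

/* Trigger an event: the lock is reached through the knlist, if any. */
static void knote_trigger(struct knote_model *kn) {
    if (!kn->alive)
        return; /* a deleted knote never reaches the handler */
    struct tty_model *lk = kn->list ? kn->list->lockarg : NULL;
    if (lk) lk->locked = true;
    tty_filter(kn);
    if (lk) lk->locked = false;
}

/* "Clear": detach the knote from the list but leave it able to fire. */
static void knlist_clear_model(struct knote_model *kn) { kn->list = NULL; }

/* "Delete": detach and destroy the knote. */
static void knlist_delete_model(struct knote_model *kn) {
    kn->list = NULL;
    kn->alive = false;
}

/* Returns how many times the handler ran without the TTY lock held. */
int run_scenario(bool delete_on_revoke) {
    struct tty_model tp = { false, 0 };
    struct knlist_model kl = { &tp };
    struct knote_model kn = { &kl, &tp, true };
    knote_trigger(&kn); /* attached: lock taken via the knlist */
    if (delete_on_revoke) knlist_delete_model(&kn);
    else knlist_clear_model(&kn);
    knote_trigger(&kn); /* event arriving after the close */
    return tp.unlocked_calls;
}

int main(void) {
    printf("clear: %d, delete: %d\n", run_scenario(false), run_scenario(true));
    return 0;
}
```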